The present invention is related to cryptography and more specifically to the recovery of cryptographic keys.
Encryption may be used to maintain the security of information. Information such as a message transmitted between a sender and a receiver may be encrypted to ensure that third parties do not have access to it. A computer file stored on a computer may also be encrypted to ensure that parties without authorization cannot obtain the information contained in the file, even if they have access to or possess the physical media on which the file is stored.
Two types of conventional encryption methods are used to secure information from misappropriation. Symmetric encryption methods use a key to encrypt information and use the same key to decrypt information. A message transmitted from sender to recipient may be symmetrically encrypted as long as the sender and the recipient have agreed upon the key. The Data Encryption Standard (DES) is an example of a symmetric encryption algorithm, and is described in Schneier, Applied Cryptography, (2d. ed., John Wiley and Sons, 1996).
Another form of encryption is known as asymmetric encryption. Asymmetric encryption encrypts information using one key known as a xe2x80x9cpublic keyxe2x80x9d, and decrypts the information using a different key known as a xe2x80x9cprivate keyxe2x80x9d. The private key is mathematically related to the public key, but extremely difficult to determine even if the public key is known. Asymmetric encryption allows a person to post his or her public key for anyone to use to encrypt information to be sent to the holder of the private key. Messages encrypted using the public key remain secure against anyone but the person or persons who hold the private key.
The pair of public and private keys are generated by a cryptographic module, and provided to an individual. The individual shares the public key with others he expects will send him or her encrypted messages known as cipher text, while maintaining the secrecy of his or her private key. In order to bind the public key and the identity of the individual owner of the public key and private key pair, referred to herein as the xe2x80x9cprincipalxe2x80x9d, a trusted party known as a xe2x80x9ccertificate authorityxe2x80x9d issues a certificate which allows third parties to verify the identity of the principal.
Many users of encryption will select from symmetric and asymmetric encryption methods to suit their needs. For example, symmetric encryption may be used to encrypt and decrypt messages to be sent over unsecure communication facilities. However, if the symmetric encryption key (referred to as a xe2x80x9csession keyxe2x80x9d) must be sent over an unsecure facility, the key itself may be encrypted asymmetrically prior to transmission. The recipient decrypts the session key using his private key, and then uses the session key to decrypt the message. This technique allows the relatively more secure asymmetric encryption to be used to secure the session key, while the faster-to-use symmetric encryption is used to secure the message.
If a file is being secured, many users will use the most secure method available. Because asymmetric encryption can be more secure than symmetric encryption, many users will use asymmetric encryption to encrypt stored data they wish to secure.
To ensure security of the private key, only the principal has access to it. Because the private key may be a lengthy string of difficult-to-remember bytes or characters, the private key may be DES-encrypted using a key password, which can be easier for the principal to remember. The encrypted private key is then stored, for example by a decryption program, and is accessible only with the key password. To use the private key, the principal types the key password to the decryption program or other program which stores the encrypted private key. The key password is used to decrypt the private key, and the decrypted private key is used to decrypt the message, file or other information encrypted using the public key. In the event that the principal loses or forgets his private key or the key password, it is virtually impossible to decrypt messages encrypted using the recipient""s public key. It is not uncommon for a principal to lose or forget his or her private key or private key password.
Another problem results if the principal works in an organization. If the principal is the only person who knows the private key, and the principal dies or leaves the employment of the company that owns the encrypted information, the company will not have access to the encrypted information.
To allow the recovery of a lost, forgotten or unavailable private key, some certificate authorities keep a copy of each private key in a vault or other form of key escrow. However, a breach of security would allow an intruder to steal the private key and decrypt any message sent to the principal. In addition, to ensure the highest levels of security, some principals may not wish to allow third parties such as certificate authorities to keep copies of their private key.
Therefore, there is a need for a method and system to encrypt a key or key password to allow the key or key password to be securely stored and to allow the encrypted key or key password to be recovered by the principal or his or her organization if the private key or key password is lost or otherwise unavailable to a person authorized to use it.
A system and method encrypts a principal""s private key or key password for archival. Private information of the principal such as mother""s maiden name and social security number is encoded, for example by hashing. The result of this encoding is used to symmetrically encrypt the private key or key password. The encrypted private key or key password is again encrypted, for example asymmetrically using the public key of a trusted party such as a certification authority as the encryption key. The result, known as a key recovery file, may be stored by the principal or other party trusted by the principal. If the principal""s private key or key password is forgotten, lost or becomes unavailable to a party authorized to retrieve it, the stored key recovery file may be decrypted as described in copending application Ser. No. 08/954,170.